ITAS465Unit1.docx

The Unit 1 Individual Project will have you develop a vulnerability assessment / penetration plan that describes the 5 phases of the ethical hacking methodology. Please review the template. You are to provide a 3-page MS Word document that contains a cover page and references, and a completed vulnerability assessment following the format provided below. All citations should also be properly referenced using APA style. Note the cover page and references are not included in the page count.

You have been asked to develop a vulnerability assessment/penetration testing plan and describe the hacking process. After all, the goal of white hat hacking is to ensure the security of the company resources, and documentation is always part of the process. In a 3-page MS Word document, develop a vulnerability assessment for an organization that has a single data center with 3 Unix servers, 3 Windows Servers, an IIS server for website and e-commerce traffic, and an email server. 

The network infrastructure is made up of Cisco routers and switches and there are 500 end user host computers running Windows 10, 1 host computer running Windows 95, 100 WIFI 802.11ac routers with WPA2 encryption, and 10 WIFI 802.11b routers running WEP. Develop your paper using the vulnerability assessment template below and also include answers to the following questions:

· What is the hacking methodology and what are its phases? 

· How is scope established, and why is agreement on the scope important? 

· How do ethics come into play when conducting ethical hacking?

Vulnerability Assessment Template

How

One of the first items to consider is the type of test to be performed, internal or external. An internal test focuses on systems that reside behind the firewall. This would probably be a white box test. An external test focuses on systems that exist outside the firewall, such as a web server. This would, more than likely, be a black box test.

Who

Determine if the penetration tester is allowed to use social engineering attacks that target users. It's common knowledge that users are generally the weakest link in any security system. Often, a penetration test can target users to gain access. You should also pre-determine who will know when the test is taking place.

What

The organization and the penetration tester need to agree on which systems will be targeted. The penetration tester needs to know exactly which systems are being tested, as they cannot target any area that isn't specified in the documentation. For example, the organization may have a website they do not want targeted or tested. Other systems that need to be looked at include wireless networks and applications.

When

Scheduling the test is very important. Should the test be run during business hours? If so, this may result in an interruption of normal business procedures. Running the tests when the business is closed (during weekends, holidays, or after-hours) may be better, but might limit the test.

Where

Finally, will the test be run on site, or remotely? An on-site test allows better testing results, but may be more expensive than a remote test.